Certified E-Mail with Comodo and Thunderbird

This is intended as a theoretical and practical tutorial on using email certificates (S/MIME) to digitally sign and encrypt your email. An enormous volume of mail moves every hour, a large share of it spam, and plain email gives you no guarantee of who sent a message or of who can read it along the way, so I strongly recommend reading the rest of this post.

First of all, let's cover some theory. There are three Internet protocols involved in sending and receiving email: SMTP, IMAP and POP.

Simple Mail Transfer Protocol (SMTP) is responsible for sending email. A mail client (where you compose the message, set recipients, attach files, etc.) hands your message to a mail server over SMTP, and servers relay it onward to each other the same way. The protocol itself is simple; the two things worth mentioning are that the connection to the server can be wrapped in TLS (usually via STARTTLS; older texts call it SSL) so the transfer is encrypted, and that a submission server can require password authentication (SMTP AUTH) to tie a session to an account.

Practical Scenario: GMail

Most of us have used GMail by creating an account at gmail.com and logging in there. It is important to understand that the gmail.com web interface is a mail client, and smtp.gmail.com is the mail server. When you log into GMail you are using its client application. Since both client and server run inside Google's infrastructure, your message reaches the server almost instantly, which is why you usually don't notice the two roles.

Anybody can set up a mail server on their own machine. Well-known server software includes Microsoft Exchange on Windows and Exim and Postfix on Linux (Microsoft Outlook, by contrast, is a client, not a server). GMail uses neither and runs custom-written servers. Between servers, SMTP needs no password and no account: any server can hand a message to any other server, and the From: header is just text the sender typed, so a server can deliver a message claiming to come from admin@facebook.com, with any body you like, to me@abiusx.com. It's just a packet of data with a name written on it, like ordinary paper mail.

Big providers like GMail, which deal with millions of users and huge amounts of spam, require you to log in with an account before they accept mail from you for sending, and they check incoming mail against sender-authentication records (SPF, DKIM, DMARC). Other servers don't. Mail that fails these checks is usually treated as spam. Note what they do and don't prove: they vouch for the sending server and domain, not for the person who wrote the message or for the message's content.

Back to the theory

POP, usually in its third version POP3, is the old-school mail retrieval protocol. The client uses it to download all messages from the server, typically deleting them there afterwards, so your mailbox state lives only on the one machine that downloaded it. The protocol is primitive and limited, much like FTP.

IMAP, on the other hand, is a far richer retrieval protocol: mail stays on the server, the client synchronizes folders and read/unread state, and several devices can share one mailbox. POP and IMAP are alternatives to each other. There were days when few mail servers offered IMAP; now almost every mail provider supports it fully. GMail's IMAP is reachable at imap.gmail.com (keep in mind that this host speaks IMAP, not HTTP, so pointing your browser at it shows nothing).

* * *

Today, many important interactions are done electronically; you can even buy a car online, and all of this involves some emailing. Providers email you your balance sheet, your username and password, instructions for your education, contest results and many other things.

Theory: The problem(s)

1. Now consider something bad happens, such as an attacker forging an email from your university telling you that you have been expelled and cannot continue your studies, or that you need to pay a certain amount to a certain bank account. You have no way of telling whether it is legitimate (sent by the university) or fake; remember, email is just mail in bytes, and as forgeable as paper mail.

2. The other bad thing is that eavesdroppers, and even your own mail provider, can read your mail and extract content from it. Ordinary email sits in the clear on the provider's servers, so every picture, every piece of information and every Word document you send through GMail can be analyzed by Google, stored, and handed over to agencies such as the CIA or NSA. It doesn't matter whether your own address is @gmail.com or your recipient's; either way the message passes through GMail's servers.

Even if you run your own mail server (like my mail.abiusx.com), when you send or receive email the message is relayed through other mail servers around the globe, and any of them can do the same analysis. Transport encryption between servers (STARTTLS) only protects each hop; every relay still sees the message in the clear.

Theory: The solution

To stop forgery, you need to prevent two things: manipulation of the message headers (who it is from) and manipulation of the message content (what it contains).

A digital signature is the well-known solution; it provides both authenticity (proof of who the signer really is) and integrity (not a single character of the message has been changed). The mechanics of digital signatures are fairly involved, but they rest on public key cryptography.

Public key cryptography gives each user a pair of keys, a private key and a public key. Whatever is locked with one can only be unlocked with the other: if you encrypt a message with someone's public key, only his private key (which is in his hands alone) can decrypt it, and if he signs a message with his private key, anyone holding his public key can check that signature.

Unfortunately, to make practical use of public key cryptography we need a PKI (Public Key Infrastructure), and that means obtaining an X.509 certificate (commonly called an SSL certificate), which binds our identity to our public key. It contains our public key, never our private key. Certificates have long been considered a luxury and are quite expensive for individuals (roughly $100 a year per use case).

Fortunately, Comodo provides free email certificates so that anybody can send digitally signed email.

To handle the second problem we need encryption: we have to encrypt the email body so that only the intended recipient can decrypt and read it. Since email is not interactive, we can't negotiate a shared key with the recipient on the spot and then send data encrypted with it; more importantly, the recipient usually doesn't even know that we are about to write to him.

To encrypt a message so that only one specific recipient can read it, we need his public key (which is included in his certificate) and encrypt the message with it, ensuring that only his private key can decrypt it. Unfortunately, there is no global directory holding the certificate for every email address, so we need a way to obtain the recipient's certificate before we can send him encrypted messages.

This is fairly easy in practice, because every digitally signed message carries a copy of the signer's certificate (it travels inside the smime.p7s signature attachment). S/MIME has been an IETF standard since 1999 (RFC 2633), with the 3.2 revision published in 2010 (RFC 5751), so any modern mail client understands it. If we use such a client, receive a digitally signed email from someone, and have a certificate of our own to sign with, the client stores that person's certificate, and from then on we can send him encrypted email.

Enough theory; on to the real deal:

Practice: Let's send and receive encrypted, signed email

First of all, we need a modern mail client. Unfortunately, neither GMail's nor Yahoo's web-based client supports S/MIME yet. I myself strongly recommend the mighty Mozilla Thunderbird, the best mail client I have seen after Apple's Mail (which only runs on a Mac).

Once Thunderbird is installed, we can at least see whether a message is digitally signed and whether its signature is valid. In GMail's and Yahoo's web clients we only see a downloadable smime.p7s attachment!

The first time Thunderbird starts up it asks for your email account credentials. Keep in mind that you cannot use a free Yahoo mailbox with Thunderbird or any other mail client (other than Yahoo's own website), since Yahoo does not provide POP3 or IMAP to free accounts. Any other mail service is fine. After you enter your credentials, Thunderbird automatically discovers your server settings and lists your folders and messages. There are also plenty of options to suit your particular needs. From then on, whenever new mail arrives Thunderbird notifies you and you can read it without opening a browser, or even without being online.

The next step is to obtain an email certificate for our own address. As I said earlier in this post, Comodo provides them for free to encourage secure email practice, at:

The only field you must enter correctly is your email address: the certificate is issued for exactly that address, and the collection link is sent there. The other fields are required by the form but aren't checked against anything. After you submit the form, an email is sent to you containing a link to collect your certificate. I suggest opening this link in Mozilla Firefox; it makes things a great deal easier.

You need to add this certificate to your system. On a Mac it lands in your Keychain, but on Windows each application keeps its own certificate store, and so does the operating system itself. When you open the link in Firefox, a dialog pops up telling you that the certificate was installed successfully. Now go to Tools -> Options -> Advanced -> Encryption -> View Certificates -> Your Certificates, select it in the list, click Backup and save it somewhere on your computer as a .p12 file (PKCS#12 format). You have to provide a password to encrypt the file, since it contains your private key as well as your certificate. Keep in mind NOT to give this file to anyone: whoever holds it can sign messages as you, with a signature that validates as genuine.

Now in Thunderbird, go to Tools -> Options -> Advanced -> Certificates -> View Certificates -> Your Certificates, press Import and select the file you just exported. Enter the password you used to encrypt it, and once it is imported into Thunderbird you're all set.

Now open a new message window, click the Security arrow in the toolbar and choose "Digitally Sign This Message". A seal icon appears at the bottom right of your message. You can't encrypt a message yet, because you haven't stored anyone else's certificate in your Thunderbird. I suggest you send me a signed email; I'll reply with my own signed email, so you will have my certificate and can send me encrypted mail afterwards.

Note: The first time you click "Digitally Sign This Message", Thunderbird asks you to set up certificates for this email address. Click Yes and select your imported certificate from the list. This is necessary because Thunderbird can handle many addresses at once and has to know which certificate belongs to which.
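The whole exchange, as an added example that is not part of the original post: the sign, verify, encrypt and decrypt steps from the theory section, plus the check worth running on the .p12 backup from the steps above, done with the openssl command line instead of Thunderbird. A throw-away test CA stands in for Comodo; alice@example.com, bob@example.com, the password backup-secret and both message texts are constructed for the example. A real Comodo-issued .p12 drops into the same commands once its key and certificate are pulled out with openssl pkcs12.

```shell
#!/bin/sh
# Added example, not code from the original post. A throw-away test CA stands in
# for Comodo; names, addresses, password and message texts are constructed here.
set -eu

# Extension profiles, written out so nothing depends on the system openssl.cnf.
# v3_email is what a real S/MIME certificate carries: the address in the SAN
# and the emailProtection extended key usage.
write_config() {
    cat > smime.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_email]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_ca() {   # the issuing CA (Comodo's role in the real setup)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
        -subj "/CN=Test Email CA" -config smime.cnf -extensions v3_ca 2>/dev/null
}

issue_email_cert() {   # $1 = name, $2 = address; produces $1.key, $1.crt and a $1.p12 backup
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1/emailAddress=$2" -config smime.cnf 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -days 30 \
        -extfile smime.cnf -extensions v3_email -out "$1.crt" 2>/dev/null
    # The password-protected key+certificate bundle Firefox "Backup" writes and Thunderbird "Import" reads.
    openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile ca.pem \
        -passout pass:backup-secret -out "$1.p12"
}

sign_message() {   # $1 = signer, $2 = plaintext, $3 = output: multipart/signed with smime.p7s
    openssl smime -sign -text -in "$2" -signer "$1.crt" -inkey "$1.key" -out "$3"
}
verify_message() {   # $1 = signed mail, $2 = file receiving the signer's cert, $3 = verified body
    openssl smime -verify -text -in "$1" -CAfile ca.pem -signer "$2" -out "$3" 2>/dev/null
}
encrypt_message() {   # $1 = plaintext, $2 = output, $3 = recipient certificate (public part only)
    openssl smime -encrypt -aes256 -text -in "$1" -out "$2" "$3"
}
decrypt_message() {   # $1 = encrypted mail, $2 = recipient name (needs $2.key), $3 = output
    openssl smime -decrypt -text -in "$1" -recip "$2.crt" -inkey "$2.key" -out "$3" 2>/dev/null
}

smime_demo() (   # subshell: the temp dir and cd do not leak into the caller
    cd "$(mktemp -d)"
    write_config
    make_ca
    issue_email_cert alice alice@example.com
    issue_email_cert bob bob@example.com
    printf 'Please transfer EUR 1000 to account 12345.\n' > invoice.txt   # constructed sample

    # 1. Alice signs; Bob verifies against the CA and, as a side effect, obtains Alice's certificate.
    sign_message alice invoice.txt invoice.eml
    if verify_message invoice.eml alice-from-mail.crt invoice.verified; then
        echo "verify-original: ok ($(tr -d '\r' < invoice.verified))"
    else
        echo "verify-original: FAILED"
    fi
    signer=$(openssl x509 -in alice-from-mail.crt -noout -ext subjectAltName | sed -n 's/.*email:\([^, ]*\).*/\1/p')
    echo "signer-address: $signer"

    # 2. Integrity: change one digit in the signed body and verification must fail.
    sed 's/EUR 1000/EUR 9000/' invoice.eml > tampered.eml
    if verify_message tampered.eml tampered-signer.crt tampered.verified; then
        echo "verify-tampered: ACCEPTED (this must not happen)"
    else
        echo "verify-tampered: rejected"
    fi

    # 3. Confidentiality: Bob encrypts his reply to the certificate taken from Alice's signature.
    printf 'Done, EUR 1000 sent today.\n' > reply.txt
    encrypt_message reply.txt reply.eml alice-from-mail.crt
    if grep -q 'EUR 1000' reply.eml; then echo "relay-can-read-reply: yes"; else echo "relay-can-read-reply: no"; fi
    if decrypt_message reply.eml bob bob.attempt; then echo "decrypt-as-bob: ACCEPTED (this must not happen)"; else echo "decrypt-as-bob: refused"; fi
    if decrypt_message reply.eml alice reply.plain; then echo "decrypt-as-alice: $(tr -d '\r' < reply.plain)"; else echo "decrypt-as-alice: FAILED"; fi

    # 4. The check to run on a .p12 backup before importing it: it must hold the private key,
    #    and the certificate should be an e-mail certificate for the expected address, still valid.
    if openssl pkcs12 -in alice.p12 -passin pass:backup-secret -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'; then
        echo "p12-has-private-key: yes"
    else
        echo "p12-has-private-key: no"
    fi
    openssl pkcs12 -in alice.p12 -passin pass:backup-secret -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -enddate -ext subjectAltName,extendedKeyUsage
)

smime_demo
```

Run it with sh; it prints one line per check. The tampered copy is rejected because the digest no longer matches the signature, Bob's key cannot open the reply because it was encrypted to Alice's certificate, and the certificate Bob encrypts to is the one openssl smime -verify -signer pulled out of Alice's signed message, which is exactly what Thunderbird does silently when a signed mail arrives. The final two commands are the ones to run on your own backup file: if the private key is missing, or the address or expiry date is not what you expect, don't import it.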

Have fun sending/receiving signed and sealed email!

Edit 1:

In case you're using this with Apple Mail.app, you have to provide your keychain (login) password every time you send a signed mail. That's because Mail.app needs to access your private key (stored in Keychain Access) to sign a message.

Do all the steps in Firefox, whether you end up using Mail.app or Thunderbird. When you visit the initial certificate creation page, Comodo's form makes your browser generate the key pair and the private key is stored in that browser, so after you get the email you must open the link in the same browser (and the same profile), or you will see an error (private key not found). Firefox also has the easiest backup feature.
